Navigate International Compliance
Figure out which countries’ privacy laws apply to your website and handle them in priority order.
If 95%+ of your customers are in one country, focus on that country’s laws only. International compliance is for businesses actively selling across borders—not every website that might get an EU visitor.
This guide covers: When international laws actually apply, what most small businesses need, and when to get professional help.
What this covers: When international privacy laws (GDPR, UK GDPR, PIPEDA, LGPD) actually apply to your business, what most US small businesses need for international visitors, and when to get legal counsel.
Who it’s for: US-based business owners with some international traffic who need to determine whether they have real compliance obligations beyond domestic law.
Key outcome: You’ll know which international laws apply to your specific situation and have a geo-aware cookie consent banner and multi-jurisdiction privacy policy covering your obligations.
Time to read: 6 minutes
Part of: Privacy & Compliance series
Do You Actually Need International Compliance?
You probably don’t if:
- You’re a US business with 95%+ US customers
- You don’t actively market to other countries
- You don’t have employees or operations abroad
- International sales are incidental, not targeted
You might need it if:
- You actively advertise to customers in specific countries
- You have a localized website (translations, local currency)
- You ship to specific countries as part of your business model
- You have significant revenue (10%+) from a specific foreign market
The practical truth: Having a website accessible from Europe doesn’t automatically require GDPR compliance. GDPR applies when you’re “targeting” EU residents—meaning you actively market to them, not just that they can access your site.
What Most US Small Businesses Need
For typical US small businesses, this covers you internationally:
- Privacy Policy – Covers California (CCPA) and looks professional to international visitors
- Cookie Consent Banner – Handles the occasional EU visitor who finds your site
- Clear Return Policy – If you sell products, this satisfies most jurisdictions
Tools that handle this:
- Complianz (WordPress, free) – Auto-detects visitor location, shows appropriate consent
- Termly (any platform, free tier) – Multi-jurisdiction privacy policy generator
- Iubenda (€27/year) – Strong international coverage
Time: 1-2 hours for complete international basics.
Major International Privacy Laws
If you do need to comply with specific countries, here’s what applies:
European Union (GDPR)
Applies if: You actively market to EU residents (ads, translations, EU pricing)
Key requirements: Cookie consent before tracking, privacy policy with EU rights, respond to data requests within 30 days
Penalties: Up to €20 million or 4% of global revenue
Practical approach: Use Complianz or similar—it handles GDPR automatically
United Kingdom (UK GDPR)
Applies if: You actively market to UK residents (separate from EU post-Brexit)
Key requirements: Similar to EU GDPR with separate compliance
Practical approach: Same tools handle both EU and UK
Canada (PIPEDA)
Applies if: You have Canadian customers and collect their personal data
Key requirements: Consent for data collection, breach notification
Penalties: Up to CAD $100,000 per violation
Practical approach: A good privacy policy with consent mechanisms covers this
Australia (Privacy Act)
Applies if: You have an “Australian link” AND over AUD $3 million in annual revenue
Key requirements: Australian Privacy Principles, breach notification
Practical approach: Most small businesses don’t meet the revenue threshold
Brazil (LGPD)
Applies if: You process Brazilian personal data regardless of business size
Key requirements: Similar to GDPR—consent, transparency, data rights
Practical approach: GDPR-compliant practices generally cover LGPD
US State Privacy Laws
Multiple US states now have privacy laws. If you’re a US business, these may be more relevant than international laws:
- California (CCPA/CPRA) – Applies if you meet revenue or data thresholds
- Virginia, Colorado, Connecticut – Similar requirements, varying thresholds
- More states coming – Texas, Oregon, Montana effective 2025-2026
Practical approach: CCPA compliance usually covers other states. See our CCPA Guide.
When to Get Professional Help
DIY compliance works for most small businesses. Get a lawyer if:
- You have significant revenue (>$1M) from a specific foreign market
- You’re expanding operations into a new country
- You’re handling sensitive data (health, financial, children’s)
- You’ve received a complaint or inquiry from a foreign regulator
- You’re raising investment from foreign investors
The International Compliance Checklist
- You’ve identified which countries you actually target (not just “could access”)
- Cookie consent banner shows appropriate options based on visitor location
- Privacy policy mentions relevant jurisdictions
- You have a process to handle data requests from any jurisdiction
- If needed: consulted a lawyer for specific country requirements
Sources
- GDPR.eu – Official Resource
- California AG – CCPA
- Office of the Privacy Commissioner of Canada – PIPEDA
- ICO – UK GDPR Guidance
- ANPD – Brazil’s National Data Protection Authority (LGPD)
International Compliance Questions Answered
Which countries have data privacy laws similar to GDPR?
Over 140 countries now have data protection laws. The closest to GDPR include the UK (UK GDPR), Brazil (LGPD), Canada (PIPEDA), South Korea (PIPA), Japan (APPI), and Australia (Privacy Act). Many follow GDPR’s consent-based framework, but each has unique requirements for data localization, breach notification timelines, and enforcement mechanisms.
Do you need to store data in each country where you have users?
Most privacy frameworks do not require local data storage, but some do. Russia requires personal data of Russian citizens to be stored on servers within Russia. China’s PIPL requires certain data to remain within China or pass a security assessment for cross-border transfers. GDPR allows transfers outside the EU with adequate safeguards like Standard Contractual Clauses.
How do you handle cookie consent for a global audience?
Implement a geo-aware consent management platform (CMP) that applies the strictest applicable rules based on user location. Show opt-in consent banners for EU visitors (GDPR), opt-out notices for California visitors (CCPA), and adjust for other jurisdictions. Default to the strictest standard if geolocation is uncertain.
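The decision logic described above, as an added example that is not code from the original guide or from any CMP product: pick the consent regime from a geolocation lookup, apply the strictest rule when a country and a sub-region both match, fall back to opt-in when geolocation is missing or uncertain, and decide whether non-essential trackers may run before the visitor has chosen. The region table, the confidence threshold and the input shapes are assumptions.

```javascript
// Added example (not from the original guide or any CMP vendor).
// Consent modes ranked from least to most restrictive.
const STRICTNESS = { notice: 0, "opt-out": 1, "opt-in": 2 };

// The 27 EU member states: GDPR opt-in regime.
const EU_COUNTRIES = new Set(["AT","BE","BG","HR","CY","CZ","DK","EE","FI",
  "FR","DE","GR","HU","IE","IT","LV","LT","LU","MT","NL","PL","PT","RO",
  "SK","SI","ES","SE"]);

// Regimes the guide walks through. "US-CA" is California (CCPA opt-out);
// plain "US" as a notice-only default for other states is an assumption.
const REGION_MODES = {
  GB: "opt-in",       // UK GDPR, same consent model as the EU
  BR: "opt-in",       // LGPD, GDPR-like consent
  CA: "opt-in",       // PIPEDA: consent for data collection
  "US-CA": "opt-out",
  US: "notice",
};

const MIN_CONFIDENCE = 0.8; // below this the lookup counts as uncertain

// Of several applicable modes, keep the most restrictive one.
function strictest(modes) {
  return modes.reduce((a, b) => (STRICTNESS[b] > STRICTNESS[a] ? b : a));
}

// geo: { country: "DE", region?: "CA", confidence: 0..1 } or null.
function consentMode(geo) {
  // No lookup, or a low-confidence one: default to the strictest standard.
  if (!geo || !(geo.confidence >= MIN_CONFIDENCE)) return "opt-in";
  if (EU_COUNTRIES.has(geo.country)) return "opt-in";
  const candidates = [REGION_MODES[geo.country]];
  if (geo.region) candidates.push(REGION_MODES[`${geo.country}-${geo.region}`]);
  const known = candidates.filter(Boolean);
  // Country not in the table: treat as unknown and apply the strictest rule.
  return known.length ? strictest(known) : "opt-in";
}

// storedChoice: an earlier recorded decision such as { nonEssential: false },
// or null when the visitor has not interacted with the banner yet.
function trackingDecision(geo, storedChoice) {
  const mode = consentMode(geo);
  if (storedChoice && typeof storedChoice.nonEssential === "boolean") {
    return { mode, loadTrackers: storedChoice.nonEssential, showBanner: false };
  }
  // Opt-in regimes: nothing non-essential runs until the visitor agrees.
  // Opt-out/notice regimes: trackers may run, but the banner must offer a way out.
  return { mode, loadTrackers: mode !== "opt-in", showBanner: true };
}
```

Wire `trackingDecision` in before any analytics or ad tag is injected, so the tag loader only runs when `loadTrackers` is true.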
What is the EU-US Data Privacy Framework?
The EU-US Data Privacy Framework (adopted July 2023) allows certified US companies to transfer personal data from the EU without additional safeguards. Companies must self-certify with the US Department of Commerce and comply with framework principles. It replaced the invalidated Privacy Shield and faces ongoing legal challenges.
✓ Your Site Handles Multi-Jurisdiction Compliance
- You have identified every country where your site collects personal data and mapped applicable regulations
- Data transfer mechanisms (SCCs or adequacy decisions) are in place for any cross-border personal data flows
- Region-specific consent requirements are implemented (e.g., GDPR opt-in for EU, CCPA opt-out for California)
- Your privacy policy addresses jurisdiction-specific rights and disclosures for each target market
Test it: Use a VPN to access your site from an EU IP address and a US IP address — verify that the correct consent mechanism and privacy disclosures appear for each region.